Critical Infrastructure Information Disclosure and
Homeland  Security 


Summary 

Critical  infrastructures  have  been  defined  as  those  systems  and  assets  so  vital 
to  the  United  States  that  the  incapacity  of  such  systems  and  assets  would  have  a 
debilitating  impact  on  the  United  States.  One  of  the  findings  of  the  President’s 
Commission  on  Critical  Infrastructure  Protection,  established  by  President  Clinton 
in 1996, was the need for the federal government and owners and operators of the
nation’s  critical  infrastructures  to  share  information  on  vulnerabilities  and  threats. 
However,  the  Commission  noted  that  owners  and  operators  are  reluctant  to  share 
confidential  business  information,  and  the  government  is  reluctant  to  share 
information  that  might  compromise  intelligence  sources  or  investigations.  Among 
the  strategies  to  help  owners  and  operators  share  information  with  the  federal 
government  was  a  proposal  to  exempt  the  information  they  share  from  disclosure 
under  the  Freedom  of  Information  Act  (FOIA). 

The  Freedom  of  Information  Act  (FOIA)  was  passed  to  ensure  by  statute  citizen 
access to government information. Nine categories of information may be exempted
from  disclosure.  Three  of  the  nine  exemptions  provide  possible  protection  against 
the  release  of  critical  infrastructure  information:  exemption  1  (national  security 
information);  exemption  3  (information  exempted  by  statute);  and  exemption  4 
(confidential business information). Congress has considered several proposals to
exempt  critical  infrastructure  information  from  the  FOIA.  Generally,  the  legislation 
has  either  created  an  exemption  3  statute,  or  codified  the  standard  adopted  by  the 
D.C.  Circuit  in  exemption  4  cases. 

Both  the  House  and  Senate  bills,  H.R.  5005  and  S.  2452,  that  would  establish 
the  new  Department,  include  a  FOIA  exemption.  Significant  differences  exist 
between  the  bills  regarding  the  scope  of  the  information  protection;  the  type  of 
information  covered  and  exempted  from  FOIA;  the  other  purposes  authorized  for 
use  or  disclosure  of  the  information;  the  disclosure  of  information  with  the  consent 
of the submitter; the permissibility of disclosures of related information by other
agencies;  immunity  from  civil  liability;  preemption;  and  criminal  penalties. 

Some  question  the  necessity  of  a  FOIA  exemption.  Public  interest  groups  argue 
that  the  language  in  the  House  bill  is  far  too  broad  and  would  allow  a  wide  range  of 
information  to  be  protected  from  disclosure  (including  information  previously 
available  under  FOIA),  and  that  existing  FOIA  exemptions  and  case  law  provide 
sufficient  protections.  They  tend  to  favor  the  more  limited  protections  proposed  in 
the  Senate  bill.  Public  interest  groups  are  also  concerned  that  the  provision  which 
bars  use  of  the  protected  information  in  civil  actions  in  the  House  bill  would  shield 
owners  and  operators  from  liability  under  antitrust,  tort,  tax,  civil  rights, 
environmental,  labor,  consumer  protection,  and  health  and  safety  laws.  Owners  and 
operators  of  critical  infrastructures  insist  that  the  current  law  does  not  provide  the 
certainty  of  protection  needed  to  protect  their  information.  While  they  view  the 
Senate  bill  as  a  workable  compromise,  they  hope  to  gain  some  of  the  additional 
protections  proposed  in  the  House  bill.  This  report  will  be  updated. 


Introduction  and  Background 

Certain  socio-economic  activities  are  vital  to  the  day-to-day  functioning  and 
security  of  the  country;  for  example,  transportation  of  goods  and  people, 
communications,  banking  and  finance,  and  the  supply  of  electricity  and  water.  These 
activities  and  services  have  been  referred  to  as  components  of  the  nation’s  critical 
infrastructure.  Domestic  security  and  our  ability  to  monitor,  deter,  and  respond  to 
outside  hostile  acts  also  depend  on  some  of  these  activities  as  well  as  other  more 
specialized  activities  like  intelligence  gathering,  law  enforcement,  and  military 
forces.  Serious  disruption  in  these  activities  and  capabilities  could  have  a  major 
impact  on  the  country’s  well-being. 

In  July  1996,  President  Clinton  established  the  President’s  Commission  on 
Critical  Infrastructure  Protection  (PCCIP).1  The  Commission  was  tasked  with 
assessing  the  vulnerabilities  of  the  country’s  critical  infrastructures  and  proposing 
a  strategy  for  protecting  them.  In  its  final  1997  report,2  the  Commission  stated  that 
the  “...two-way  sharing  [of]  information  is  indispensable  to  infrastructure  assurance,” 
and  that  “increasing  the  sharing  of  strategic  information  within  each  infrastructure, 
across  different  sectors,  and  between  sectors  and  the  government  will  greatly  assist 
efforts  of  owners  and  operators  to  identify  their  vulnerabilities  and  acquire  tools 
needed for protection.” According to the Commission, the exchange of information
is  also  necessary  to  develop  an  analytic  capability  to  examine  information  about 
incidents,  vulnerabilities,  and  other  intelligence  information  to  determine  whether 
events  are  related  and  can  be  used  possibly  to  recognize  or  predict  an  attack. 

The  Commission  also  noted  that  there  is  a  reluctance  on  the  part  of  the  private 
sector  and  the  government  to  share  information  related  to  vulnerabilities  or  incidents 
needed  to  plan  for  and  effect  adequate  protections.  The  private  sector  is  reluctant  to 
submit  information  to  the  government  related  to  vulnerabilities  or  incidents  that 
might  damage  its  reputation,  weaken  its  competitive  position,  lead  to  costly 
investigations,  be  used  inappropriately,  or  expose  it  to  liability  as  a  result  of 
disclosure  by  the  government  of  confidential  business  information.  The  government 
is  reluctant  to  disclose  threat  information  that  might  compromise  intelligence 
activities  or  investigations. 


1  Executive  Order  13010 — Critical  Infrastructure  Protection.  Federal  Register,  July  17, 
1996.  Vol.  61,  No.  138.  pp.  37347-37350. 

2  Critical  Foundations:  Protecting  America’s  Infrastructures.  The  Report  of  the  President’s 
Commission  on  Critical  Infrastructure  Protection.  Washington,  D.C.  October,  1997. 




The  first  objective  of  the  Commission’s  recommended  Strategy  for  Action  was 
to  promote  a  partnership  between  government  and  infrastructure  owners  and 
operators  that  would  increase  the  sharing  of  information  relating  to  infrastructure 
threats,  vulnerabilities,  and  interdependencies.  The  Commission  proposed 
developing  an  Information  Sharing  and  Analysis  Center  (ISAC)  that  would  consist 
of  government  and  private  sector  representatives  working  together  to  receive 
information  from  all  sources,  analyze  it,  draw  conclusions  about  vulnerabilities  or 
incidents  within  the  infrastructures,  and  inform  government  and  private  sector  users. 
It  also  recognized  that,  in  order  to  facilitate  the  exchange  of  information,  the  private 
sector  would  need  assurances  that  its  confidential  information  would  be  protected. 
The  Commission  noted  that  this  might  require  that  a  legal  vehicle  be  established 
within the critical infrastructure information sharing mechanism that would protect
confidential information, and examined the ramifications of different approaches and
strategies related to the federal government’s protection of private sector
information. It briefly discussed some pros and cons associated with the creation of
a FOIA exemption 3 statute for critical infrastructure information. Under exemption
3  of  the  Freedom  of  Information  Act  (FOIA),  5  U.S.C.  552  et  seq.,  information 
protected  from  disclosure  under  other  statutes  is  also  exempt  from  public  disclosure 
under  FOIA.3 

In  response  to  the  Commission’s  report,  President  Clinton  released  Presidential 
Decision  Directive  No.  63  (PDD-63).4  The  Directive  instructed  the  National 
Coordinator  for  Security,  Infrastructure  Protection  and  Counter-Terrorism  and  other 
government  officials  to  consult  with  private  sector  owners  and  operators  of  critical 
infrastructures,  and  encourage  the  creation  of  a  private  sector  information  analysis 
and  sharing  center  as  envisaged  by  the  PCCIP.  Although  the  Directive  did  not 
address  FOIA  explicitly,  it  did  direct  the  National  Coordinator  to  undertake  studies 
to  examine:  liability  issues  arising  from  participation  by  private  sector  companies  in 
the  information  sharing  process;  existing  legislative  impediments  to  information 
sharing  with  an  eye  toward  removing  those  impediments;  and  the  improved 
protection,  including  secure  dissemination  of  industry  trade  secrets,  of  other 
confidential  business  data,  law  enforcement  information  and  evidentiary  material, 
classified  national  security  information,  unclassified  material  disclosing 
vulnerabilities  of  privately  owned  infrastructures  and  apparently  innocuous 
information  that,  in  the  aggregate,  would  be  imprudent  to  disclose.  The  Clinton 
Administration,  however,  never  adopted  a  formal  position  on  the  desirability  of  an 
exemption  to  FOIA  or  the  necessity  for  any  additional  confidentiality  protections. 

In  connection  with  the  implementation  of  PDD-63,  a  number  of  industrial 
sectors which own and/or operate critical infrastructures formed ISACs, and entered
into  arrangements  with  the  federal  government  to  share  information.  However,  the 
General  Accounting  Office  reported  in  April  2001,  that  very  little  or  no  formalized 


3  Exemption  3  exempts  from  disclosure  information  specifically  exempted  by  statute,  as 
long  as  the  statute  leaves  no  discretion  on  disclosure  and  that  the  statute  specifies  particular 
criteria  for  withholding  or  refers  to  particular  types  of  matters  to  be  withheld.  5  U.S.C.  § 
552(b)(3).  See  the  next  section  of  this  report  for  further  discussion. 

4  The  White  House,  Protecting  America’s  Critical  Infrastructures:  Presidential  Decision 
Directive  63  (May  1998).  Available  at  [http://www.ciao.gov/resource/paper598.pdf]. 
flow of information has occurred from the private sector to the federal government.5
According  to  the  Director  of  the  National  Infrastructure  Protection  Center,  the 
organization  with  which  industry  is  to  share  information,  one  of  the  reasons  for  this 
is  the  uncertainty  regarding  FOIA  exemptions.6  Similarly,  the  Partnership  for 
Critical  Infrastructure  Security,  a  cross-industry  group  formed  to  facilitate 
communication  among  industry  sectors,  has  stated  that  it  is  not  clear  that  any  of  the 
existing  FOIA  exemptions  provide  the  certainty  of  protection  that  many  companies 
require before disclosing threat and vulnerability information to the government.7

In the 106th Congress, both H.R. 4246 (Davis/Moran) and S. 3188 (Kyl)
included  an  exemption  from  FOIA  for  cyber  security  information  voluntarily 
provided  to  the  federal  government,  and  prohibited  the  information  from  being  used, 
by  either  the  federal  government  or  a  third  party,  in  any  civil  action.8  Neither  bill 
was  reported  out  of  committee. 

During  the  107th  Congress,  two  bills  were  introduced  with  many  of  the  same 
provisions:  H.R.  2435  (Davis)  and  S.  1456  (Bennett/Kyl)  would  exempt  information 
voluntarily  submitted  to  the  federal  government  in  connection  with  critical 
infrastructure protection from FOIA,9 and provide protection against civil action.
Both  bills  remain  in  committee.  In  an  effort  to  reconcile  the  two  bills,  S.  1456  was 
modified,  taking  some  of  the  House  language.  The  rewritten  bill,  however,  was 
never introduced. The Bush Administration offered qualified support for both bills.10
In  President  Bush’s  proposal  to  establish  a  new  Department  of  Homeland  Security, 
part  of  which  proposes  establishing  a  critical  infrastructure  protection  function,  a 
FOIA  exemption  was  included  for  information  held  by  the  Department. 
Subsequently,  both  the  House  and  Senate  bills,  H.R.  5005  and  S.  2452,  that  would 
establish  the  new  Department,  narrowed  the  FOIA  exemption  to  cover  only 
information  regarding  critical  infrastructure  vulnerabilities  and  threats.  The  House 
passed  H.R.  5005  on  July  27,  2002.  S.  2452  is  scheduled  for  floor  consideration 
September  3,  2002. 


5  Critical  Infrastructure  Protection.  Significant  Challenges  in  Developing  National 
Capabilities. United States General Accounting Office. GAO-01-323. April 2001. See
Chapter  4. 

6  Id.  Appendix  1,  p.99.  It  should  be  noted  that,  according  to  the  GAO,  another  reason  the 
private  sector  has  not  shared  information  with  the  government  is  the  lack  of  agreement  on 
what type of information is needed.

7  Partnership  for  Critical  Infrastructure  Protection.  Working  Group  3.  Public  Policy  White 
Paper,  p.  5.  Available  at  [http://www.pcis.org/WG3/WG-3_Public_Policy_WP.pdf]. 

8 See CRS Report RL30153, Critical Infrastructures: Background and Early Implementation
of  PDD-63. 

9  The  Senate  bill  expanded  the  type  of  information  to  be  protected  to  include  information 
related  to  the  physical  security  of  critical  infrastructures,  referring  to  protected  information 
as  “critical  infrastructure  information,”  specified  the  agencies  covered  by  the  legislation,  and 
prescribed  how  the  information  may  be  used. 

10  White  House  Official  Outlines  Cyber  Security  Initiatives.  Maureen  Sirhal.  National 
Journal’s  Technology  Daily.  January  25,  2002. 
For information on the homeland security proposals, see CRS Report RL31513,
Homeland  Security:  Side-By-Side  Comparison  of  H.R.  5005  and  S.  2452,  107th 
Congress. 


Freedom  of  Information  Act 

In  1966,  during  floor  debate  on  passage  of  the  Freedom  of  Information  Act 
(FOIA),11 Representative Rumsfeld quoted James Madison when he said,

Knowledge  will  forever  govern  ignorance.  And  a  people  who  mean  to  be 
their  own  governors,  must  arm  themselves  with  the  power  knowledge 
gives. A popular government without popular information or the means
of  acquiring  it,  is  but  a  prologue  to  a  farce  or  a  tragedy,  or  perhaps  both.12 

As  Congress  debates  homeland  security  legislation  in  2002,  the  sentiments  expressed 
by Madison in 1822 are prescient today. The populace desires knowledge about the
activities  of  its  government  in  order  to  ensure  accountability  and  oversight.  The 
government  desires  information  from  owners  and  operators  of  critical  infrastructures 
in  order  to  protect  persons  and  assets  in  the  war  on  terrorism.  The  terrorist  attacks 
of September 11 have prompted a reevaluation of how to balance public access to
information  with  the  need  for  safety  and  security. 

The  federal  government,  since  its  beginnings,  has  delegated  to  agency  heads  the 
basic  authority  to  control  the  papers  and  documents  of  their  departments.  Through 
the  Housekeeping  Statute  of  1789,  federal  agencies  have  kept  control  of  the 
disclosure of their files.13 The Administrative Procedure Act (APA) of 1946 had a
slight  impact  upon  departmental  control  of  agency  information.14  Instances  were 
documented,  however,  where  both  the  Housekeeping  Statute  and  the  Administrative 
Procedure Act had been used as excuses for withholding information, and concern
mounted  that  the  APA  had  become  a  loophole  for  agency  secrecy  permitting  agency 
heads  to  exercise  broad,  unrestrained  powers  of  a  discretionary  nature.  The 
Housekeeping  Statute  was  amended  to  clarify  that  it  does  not  authorize  withholding 
information  from  the  public  or  limiting  the  availability  of  records  to  the  public.  The 
amendment  of  the  Housekeeping  Statute  did  not  produce  the  results  sought  by 
advocates  of  greater  public  access  to  public  information.  The  House  Government 
Information Subcommittee proposed a freedom of information bill that created a
right  of  any  person  to  use  the  courts  to  enforce  the  right  of  access  to  federal 
information.  Although  the  proposal  was  well  received  by  the  press,  federal  agencies 
were  resistant.  The  Senate  passed  S.  1160  in  1965,  the  House  in  1966,  and  the 


11 5 U.S.C. § 552 et seq.

12  James  Madison,  1822,  quoted  by  Rep.  Rumsfeld  in  House  debate  on  passage  of  Freedom 
of Information Act, 114 Cong. Rec. 13,654 (1966).

13  “The  head  of  an  Executive  department  or  military  department  may  prescribe  regulations 
for  the  government  of  his  department,  the  conduct  of  its  employees,  the  distribution  and 
performance  of  its  business,  and  the  custody,  use,  and  preservation  of  its  records,  papers,  and 
property.  This  section  does  not  authorize  withholding  information  from  the  public  or  limiting 
the  availability  of  records  to  the  public.”  5  U.S.C.  §  301. 

14  60  Stat.  238. 
Freedom of Information Act (FOIA) was signed into law by President Johnson on
July  4,  1966.  The  FOIA  was  subsequently  amended  in  1974,  1986,  and  1996  for 
several  reasons:  ambiguity  in  the  text  and  legislative  history;  agency  and 
Department  of  Justice  resistance  to  broader  disclosure;  increased  oversight  by 
Congress;  court  interpretations  of  the  statute  and  its  procedural  requirements  and 
exemptions;  time  delays  by  agencies  in  responding  to  requests  for  access  to 
information  and  delaying  tactics  by  agencies  in  litigation;  to  clarify  the  scope  of  the 
exemptions  in  response  to  Supreme  Court  decisions  interpreting  the  Act’s  provisions; 
and  to  accommodate  technological  advances  related  to  the  methods  prescribed  for 
public  access. 

The purpose of the Freedom of Information Act (FOIA) was to ensure by statute
citizen access to government information. The FOIA establishes for any
person — corporate  or  individual,  regardless  of  nationality — presumptive  access  to 
existing,  unpublished  agency  records  on  any  topic.  The  law  specifies  nine  categories 
of  information  that  may  be  exempted  from  the  rule  of  disclosure.  The  exemptions 
permit, rather than require, the withholding of the requested information. Records
which  are  not  exempt  under  one  or  more  of  the  Act’s  nine  exemptions  must  be  made 
available.  If  a  record  has  some  exempt  material,  the  Act  provides  that  any 
reasonably  segregable  portion  of  the  record  must  be  provided  to  any  person 
requesting  such  record  after  deletion  of  the  portions  which  are  exempt.  Disputes 
over  the  accessibility  of  requested  records  may  be  reviewed  in  federal  court.  Fees  for 
search,  review,  or  copying  of  materials  may  be  imposed;  also,  for  some  types  of 
requesters,  fees  may  be  reduced  or  waived.  The  FOIA  was  amended  in  1996  to 
provide for public access to information in an electronic form or format. In 2001,
agency annual reports indicated that they received approximately 1.9 million FOIA
requests. 

With  respect  to  the  Freedom  of  Information  Act,  three  of  the  nine  exemptions 
from  public  disclosure  provide  possible  protections  against  the  release  of  homeland 
security  and  critical  infrastructure  information:  exemption  1  (national  security 
information),  exemption  3  (information  exempted  by  statute),  and  exemption  4 
(confidential  business  information).15 

FOIA  Exemption  1  -  National  Security  Information 

Exemption 1 of the FOIA protects from disclosure national security information
concerning  the  national  defense  or  foreign  policy,  provided  that  it  has  been  properly 
classified  in  accordance  with  the  substantive  and  procedural  requirements  of  an 
executive order.16 As of October 14, 1995, the executive order in effect is Executive
Order 12,958 issued by President Clinton (and amended in 1999 by Executive Order
13,142).17 Section 1.5 of the order specifies the types of information that may be
considered  for  classification:  military  plans,  weapons  systems,  or  operations;  foreign 
government  information;  intelligence  activities,  sources  or  methods,  or  cryptology; 
foreign  relations  or  foreign  activities,  including  confidential  sources;  scientific, 


15 See 5 U.S.C. § 552(b).

16  5  U.S.C.  §  552(b)(1). 

17  3  C.F.R.  333  (1996),  reprinted  in  50  U.S.C.  §  435  note. 
technological, or economic matters relating to national security; U.S. government
programs  for  safeguarding  nuclear  materials  and  facilities;  or  vulnerabilities  or 
capabilities  of  systems,  installations,  projects,  or  plans  relating  to  national  security. 
The  categories  of  information  that  may  be  classified  seemingly  appear  broad  enough 
to  include  homeland  security  information  concerning  critical  infrastructures.  Under 
E.O.  12,958  information  may  not  be  classified  unless  “its  disclosure  reasonably 
could  be  expected  to  cause  damage  to  the  national  security.”18 

On  March  19,  2002,  the  White  House  Chief  of  Staff  issued  a  directive  to  the 
heads  of  all  federal  agencies  addressing  the  need  to  protect  information  concerning 
weapons  of  mass  destruction  and  other  sensitive  homeland  security-related 
information.19  The  implementing  guidance  for  the  directive  concerns  sensitive 
homeland  security  information  that  is  currently  classified,  and  previously 
unclassified  or  declassified  information.20  The  guidance  provides  that  with  respect 
to  such  information  currently  classified,  the  classified  status  of  such  information 
should  be  maintained  in  accordance  with  Executive  Order  12,958.  This  includes 
extending  the  duration  of  classification  as  well  as  exempting  such  information  from 
automatic  declassification  as  appropriate.  With  respect  to  previously  unclassified  or 
declassified  information  concerning  weapons  of  mass  destruction  and  other  sensitive 
homeland security-related information, the implementing guidance provides that, to
the  extent  it  has  never  been  publicly  disclosed  under  proper  authority,  it  may  be 
classified  or  reclassified  pursuant  to  Executive  Order  12,958.  If  the  information  has 
been  subject  to  a  previous  request  for  access,  such  as  a  FOIA  request,  classification 
or  reclassification  is  subject  to  the  special  requirements  of  the  executive  order. 

Section  792  of  H.R.  5005,  the  Homeland  Security  Act  of 2002,  as  passed  by  the 
House  on  July  27, 2002,  directs  the  President  to  prescribe  and  implement  procedures 
applicable  to  all  federal  agencies  to  share  relevant,  appropriate  homeland  security 
information  among  federal  agencies,  including  the  Department  of  Homeland 
Security,  and  with  appropriate  state  and  local  personnel;  to  identify  and  safeguard 
sensitive,  unclassified  homeland  security  information;  to  determine  whether,  how, 
and to what extent to remove classified homeland security information, and to
determine with whom such homeland security information should be shared after
such  classified  information  is  removed.  H.R.  5005  specifically  states  that  the 
substantive  requirements  for  classification  are  not  changed.  S.  2452,  agreed  to  by  the 
Senate  Governmental  Affairs  Committee  on  July  25,  2002,  does  not  have  a  parallel 
provision. 


18 Exec. Order No. 12,958, § 1.2(a)(4).

19  See  White  House  Memorandum  for  Heads  of  Executive  Departments  and  Agencies 
Concerning  Safeguarding  Information  Regarding  Weapons  of  Mass  Destruction  and  Other 
Sensitive  Documents  Related  to  Homeland  Security  (Mar.  19, 2002);  reprinted  in  FOIA  Post 
(posted  3/21/02). 

20  See  Memorandum  from  Acting  Director  of  Information  Security  Oversight  Office  and  Co- 
Directors  of  Office  of  Information  and  Privacy  to  Departments  and  Agencies  (March  31, 
2002);  reprinted  in  FOIA  Post  (posted  3/21/02). 
FOIA Exemption 3 - Information Exempt by Statute

Under exemption 3 of the FOIA, information protected from disclosure under
other  statutes  is  also  exempt  from  public  disclosure.21  Exemption  3  provides  that  the 
FOIA  does  not  apply  to  matters  that  are: 

specifically  exempted  from  disclosure  by  statute  .  .  .  provided  that  such 
statute  (A)  requires  that  the  matters  be  withheld  from  the  public  in  such  a 
manner  as  to  leave  no  discretion  on  the  issue,  or  (B)  establishes  particular 
criteria  for  withholding  or  refers  to  particular  types  of  matters  to  be 
withheld.22 

Exemption  3  allows  the  withholding  of  information  prohibited  from  disclosure  by 
another  statute  only  if  the  other  statute  meets  any  one  of  the  three  criteria:  (1)  it 
requires that the records be withheld (i.e., no agency discretion); (2) grants discretion
on  whether  to  withhold  but  provides  specific  criteria  to  guide  the  exercise  of  that 
discretion;  or  (3)  describes  with  sufficient  specificity  the  types  of  records  to  be 
withheld.  To  support  an  exemption  3  claim,  the  information  requested  must  fit 
within a category of information that the statute authorizes to be withheld. As with
all  FOIA  exemptions,  the  government  bears  the  burden  of  proving  that  requested 
records are properly withheld. Numerous statutes have been held to qualify as
exemption  3  statutes  under  the  exemption’s  first  subpart  -  statutes  that  require 
information  to  be  withheld  and  leave  the  agency  no  discretion.  Several  statutes  have 
failed  to  qualify  under  exemption  3  because  too  much  discretion  was  vested  in  the 
agency,  or  because  the  statute  lacked  specificity  regarding  the  records  to  be 
withheld.23 Unlike other FOIA exemptions, if the information requested under FOIA
meets  the  withholding  criteria  of  exemption  3,  the  information  must  be  withheld. 

Congress  has  considered  a  number  of  proposals  that  address  the  disclosure 
under FOIA of cyber security information, of information maintained by the
Department  of  Homeland  Security,  and  of  critical  infrastructure  information 
voluntarily  submitted  to  the  Department  of  Homeland  Security.  Generally,  the 
legislation  has  specifically  exempted  the  covered  information  from  disclosure  under 
FOIA,  in  effect  creating  an  exemption  3  statute  for  purposes  of  FOIA. 

FOIA  Exemption  4  -  Confidential  Business  Information 

Exemption  4  of  FOIA  exempts  from  disclosure  “trade  secrets  and  commercial 
or  financial  information  obtained  from  a  person  and  privileged  or  confidential.”24 
The latter category of information (commercial information that is privileged or
confidential) is relevant to the issue of the federal government’s protection of private
sector critical infrastructures information. To fall within this second category of


21 5 U.S.C. § 552(b)(3).

22 5 U.S.C. § 552(b)(3).

23 See CRS Congressional Distribution Memorandum, American Law Division, Freedom of
Information Act: Statutes Invoked under Exemption 3 (July 11, 2002).

24 5 U.S.C. § 552(b)(4).
exemption 4, the information must satisfy three criteria. It must be: a) commercial
or  financial;  b)  obtained  from  a  person;  and  c)  confidential  or  privileged.  The  D.C. 
Circuit  has  held  that  the  terms  “commercial  or  financial”  should  be  given  their 
ordinary  meaning,  and  that  records  are  commercial  if  the  submitter  has  a 
“commercial interest” in them.25 The second criterion, “obtained from a person,”
refers to a wide range of entities.26 However, information generated by the federal
government  is  not  “obtained  from  a  person,”  and  as  a  result  is  excluded  from 
exemption  4's  coverage.27 

Most  exemption  4  cases  have  involved  a  dispute  over  whether  the  information 
was  “confidential.”  In  1974,  the  D.C.  Circuit  in  National  Parks  and  Conservation 
Association  v.  Morton,  held  that  the  test  for  confidentiality  was  an  objective  one.28 
It  held  that  neither  the  fact  that  a  submitter  would  not  customarily  make  the 
information  public,  nor  an  agency’s  promises  of  confidentiality  were  enough  to 
justify  confidentiality.  National  Parks  enunciated  a  two-part  test:  commercial 
information is confidential “if disclosure of the information is likely to have either
of  the  following  effects:  (1)  to  impair  the  government’s  ability  to  obtain  necessary 
information  in  the  future;  or  (2)  to  cause  substantial  harm  to  the  competitive  position 
of  the  person  from  whom  the  information  was  obtained.”29  These  criteria  are 
commonly referred to as Test 1 and Test 2.30

In  1992,  in  Critical  Mass  Energy  Project  v.  NRC,31  after  examining  arguments 
in  favor  of  overturning  National  Parks,  the  D.C.  Circuit  reaffirmed  application  of  the 
National  Parks  test  based  on  the  principle  of  stare  decisis  -  which  counsels  against 
overruling  established  precedent.  The  plaintiff  was  seeking  reports  which  a  utility 
industry  group  prepared  and  gave  voluntarily  to  the  NRC.  The  agency  did,  however, 
have  the  authority  to  compel  submission.  The  full  Circuit  Court  of  Appeals  clarified 
the  scope  and  application  of  the  National  Parks  test.  The  court  limited  its 
application  “to  the  category  of  cases  to  which  [they  were]  first  applied;  namely  those 
in  which  a  FOIA  request  is  made  for  commercial  or  financial  information  a  person 
was  obliged  to  furnish  to  the  Government.”32  The  court  established  a  new  test  for 


25  Public  Citizen  Health  Research  Group  v.  FDA,  704  F.2d  1280,  1290  (D.C.  Cir.  1983). 

26  See,  Nadler  v.  FDIC,  92  F.3d  93,  95  (2d  Cir.  1996)(term  “person”  includes  “individual, 
partnership,  corporation,  association,  or  public  or  private  organization  other  than  an  agency” 
(quoting  definition  found  in  Administrative  Procedure  Act,  5  U.S.C.  §  551(2)). 

27  See,  Allnet  Communications  Servs.  v.  FCC,  800  F.  Supp.  984,  988  (D.D.C.  1992). 

28  498  F.2d  765  (D.C.  Cir.  1974). 

29  Id.  at  770. 

30  See  also,  Niagara  Power  Corp.  v.  United  States  Department  of  Energy,  169  F.3d  16  (D.C. 
Cir.  1999)(court  held  that  material  fact  existed  as  to  whether  disclosure  of  fuel  consumption 
and  power  generation  figures  provided  pursuant  to  statute  would  impair  agency’s  ability  to 
collect  information,  and  whether  disclosure  was  likely  to  cause  plants  substantial  harm). 

31  975  F.2d  871,  879-80  (D.C.  Cir.  1992)  (en  banc)  (“Critical  Mass  II”),  cert.  denied,  113  S. 
Ct.  1579  (1993). 

32  Id.  at  880. 
confidentiality  when  the  information  is  submitted  voluntarily;33  the  information  is 
exempt  from  disclosure  if  the  submitter  can  show  that  it  does  not  customarily  release 
the  information  to  the  public.34  Under  the  Critical  Mass  decision,  one  standard  (the 
traditional  National  Parks  tests)  applies  to  any  information  that  a  submitter  “is 
required  to  supply,”  while  a  broader  exemption  4  standard  (a  new  “customary 
treatment”  test)  applies  to  any  information  that  is  submitted  to  an  agency  on  a 
voluntary  basis.  The  burden  of  establishing  the  submitter’s  custom  remains  with  the 
agency  seeking  to  withhold  the  records.  Applying  the  customary  treatment  test  to 
the  information  at  issue  (utility  industry  group  reports  voluntarily  submitted),  the 
D.C.  Circuit  agreed  with  the  district  court’s  conclusion  that  the  reports  were 
commercial;  that  they  were  provided  to  the  agency  on  a  voluntary  basis;  and  that  the 
submitter  did  not  customarily  release  them  to  the  public.  Thus,  the  reports  were 
found  to  be  confidential  and  exempt  from  disclosure  under  exemption  4. 

The  key  issue  raised  by  Critical  Mass  is  the  distinction  between  “required”  and 
“voluntary”  information  submissions.  In  its  decision,  the  court  did  not  expressly 
define  the  two  terms.  The  Department  of  Justice  has  issued  policy  guidance  on  the 
distinction  between  information  required  and  information  voluntarily  submitted 
under  Critical  Mass,  and  has  taken  the  position  that  the  submission  of  records  in 
instances  such  as  the  bidding  on  government  contracts  is  mandatory  rather  than 
voluntary.35  The  basic  principles  developed  by  the  Justice  Department  are  that  a 
submitter’s  voluntary  participation  in  an  activity  does  not  determine  whether  any 
information  submission  made  in  connection  with  that  activity  is  “voluntary;”  that 
Critical  Mass  determinations  should  be  made  according  to  the  circumstances  of 
information  submission;  that  information  submissions  can  be  “required”  by  a  range 
of  legal  authorities,  including  informal  mandates  that  call  for  the  submission  of 
information  as  a  condition  of  dealing  with  the  government  or  of  obtaining  a 
government  benefit;  and  that  the  existence  of  agency  authority  to  require  an 
information  submission  does  not  automatically  mean  that  the  submission  is 
“required.”36  The  decision  in  Critical  Mass  has  generated  a  great  deal  of 
commentary.37  In  addition,  there  are  many  cases  where  courts  have  applied  the 
Critical  Mass  distinction  between  voluntary  and  required  submissions.38 


33  With  respect  to  critical  infrastructure  information,  the  federal  government  seeks  to  ensure 
that  it  is  able  to  obtain  the  information  from  the  private  sector  on  a  voluntary  basis. 

34  Id.  at  879. 

35  See  FOIA  Update,  Vol.  XIV,  No.  2,  at  3-5  (“OIP  Guidance:  The  Critical  Mass  Distinction 
Under  Exemption  4"). 

36  Id. 

37  See,  e.g.,  Rocco  J.  Maffei,  The  Impact  of  FOIA  after  Critical  Mass,  22  Pub.  Cont.  L.  J.  757 
(1993);  G.  Branch  Taylor,  The  Critical  Mass  Decision:  A  Dangerous  Blow  to  Exemption  4 
Litigation,  2  CommLaw  Conspectus  133  (1994). 

38  See,  e.g.,  Lykes  Bros.  S.S.  v.  Pena,  No.  92-2780,  slip  op.  at  8-11  (D.D.C.  Sept.  2, 
1993)(“under  Critical  Mass,  submissions  that  are  required  to  realize  the  benefits  of  a 
voluntary  program  are  to  be  considered  mandatory”);  Lee  v.  FDIC,  923  F.  Supp.  451,  454 
(S.D.N.Y.  1996)(when  documents  were  “required  to  be  submitted”  in  order  to  get 
government  approval  to  merge  two  banks,  court  rejects  agency’s  attempt  to  nonetheless 
characterize  submission  as  “voluntary”);  AGS  Computers,  Inc.  v.  United  States  Dep’t  of 

(continued...) 
Nonetheless,  the  Critical  Mass  voluntary  vs.  required  standard  has  not  been  widely 
adopted  by  the  other  circuits  that  have  endorsed  the  National  Parks  test. 

Executive  Order  12,600  (Predisclosure  Notification  Procedures  for 
Confidential  Commercial  Information),  issued  in  1987,  requires  each  federal  agency 
to  establish  procedures  to  notify  submitters  of  confidential  commercial  information 
whenever  an  agency  “determines  that  it  may  be  required  to  disclose”  such 
information  under  the  FOIA.39  The  submitter  is  provided  an  opportunity  to  submit 
objections  to  the  proposed  disclosure.40  If  the  agency  decides  to  release  the 
information  over  the  objections  of  the  submitter,  the  submitter  may  seek  judicial 
review  of  the  propriety  of  the  release,  and  the  courts  will  entertain  a  “reverse  FOIA” 
suit  to  consider  the  confidentiality  rights  of  the  submitter.41 

Another  area  of  concern  under  exemption  4  jurisprudence  is  the  so-called 
mosaic  effect  which  recognizes  that  an  individual  piece  of  information,  which  in  and 
of  itself  may  not  qualify  as  confidential  business  information,  may  be  combined  with 
other  information  to  cause  substantial  competitive  harm.  Private  information 
hawkers  routinely  engage  in  the  business  of  assembling  all  of  the  pieces  of 
information.  Courts  have  applied  the  mosaic  effect  to  prevent  the  disclosure  of 
confidential  business  information.42 

As  previously  noted  with  regard  to  critical  infrastructure  information,  the 
federal  government  seeks  to  ensure  that  it  is  able  to  obtain  information  from  the 
private  sector  on  a  voluntary  basis.  S.  2452,  the  National  Homeland  Security  and 
Combating  Terrorism  Act  of  2002,  essentially  codifies  the  voluntary/required  rule 
from  the  D.C.  Circuit’s  decision  in  Critical  Mass  v.  NRC,  and  applies  it  to  critical 
infrastructure  information  voluntarily  submitted  by  the  private  sector,  and  not 
customarily  available  to  the  public,  to  the  new  Department  of  Homeland  Security. 
Codification  of  the  Critical  Mass  standard  could  eliminate  differences  in  treatment 
in  the  federal  courts  of  confidential  business  information  related  to  critical 
infrastructure. 


38  (...continued) 

Treasury,  No.  92-2714,  slip  op.  at  10  (D.N.J.  Sept.  16,  1993)(submitter’s  submission  of 
documents  to  agency  during  a  meeting  was  done  voluntarily  because  there  was  no 
“controlling  statute,  regulation,  or  written  order”);  Center  for  Auto  Safety  v.  National 
Highway  Traffic  Safety  Admin.,  93  F.  Supp.2d  1  (D.D.C.  Feb.  28,  2000),  remanded  by 
Center  for  Auto  Safety  v.  National  Highway  Traffic  Safety  Admin.,  244  F.3d  144  (D.C.Cir. 
Mar.  30,  2001)  (information  on  airbag  systems  submitted  in  response  to  agency’s  request  was 
a  voluntary  submission  because  agency  lacked  legal  authority  to  enforce  its  request  for 
information). 

39  3  C.F.R.  235  (1988),  reprinted  in  5  U.S.C.  §  552  note. 

40  Exec.  Order  No.  12,600,  §  4. 

41  Lee  v.  FDIC,  923  F.  Supp.  451,  455  (S.D.N.Y.  1996). 

42  See,  e.g.,  Timken  Co.  v.  U.S.  Customs  Service,  491  F.  Supp.  557  (D.D.C.  1980). 
Legislative  Responses 

FOIA  Exemption  in  the  Administration’s  Proposal  for 
Homeland  Security 

The  Bush  Administration  took  its  support  a  step  further  in  its  legislative 
proposal  establishing  the  new  Department  of  Homeland  Security  by  proposing  to 
exempt  from  disclosure  under  FOIA  critical  infrastructure  information  voluntarily 
submitted  to  the  government  by  non-federal  entities.  Section  204  of  the  proposal 
stated: 

Information  provided  voluntarily  by  non-federal  entities  or  individuals  that 
relates  to  infrastructure  vulnerabilities  or  other  vulnerabilities  to  terrorism 
and  is  or  has  been  in  the  possession  of  the  Department  [of  Homeland 
Security]  shall  not  be  subject  to  section  552  of  title  5,  United  States  Code. 

This  proposed  language  did  not  provide  additional  specificity,  and  was  criticized  by 
the  FOIA  requester  community  as  “cast[ing]  a  shroud  of  secrecy  over  one  of  the 
Department  of  Homeland  Security’s  critical  functions,  critical  infrastructure 
protection.”43 

FOIA  Exemptions  in  Homeland  Security  Proposals 

When  the  President’s  legislative  proposal  was  reported  out  of  the  House  Select 
Committee  on  Homeland  Security  as  H.R.  5005  (Armey),  the  FOIA  exemption  was 
modified  and  included  in  a  separate  subtitle  (Title  VII,  Subtitle  C,  sections  721  - 
724).44  The  Senate  Government  Affairs  Committee,  too,  voted  to  add  a  FOIA 
exemption  to  its  bill  S.  2452  (Lieberman,  section  198)  establishing  a  Department  of 
Homeland  Security.  The  FOIA  provision  in  S.  2452  is  not  as  detailed  as  the  House 
bill.  A  brief  discussion  of  the  FOIA  exemptions  in  the  two  homeland  security  bills 
follows.  A  comparison  of  the  language  regarding  FOIA  exemptions  is  included  in 
the  CRS  Report  RL31513,  Homeland  Security:  Side-By-Side  Comparison  of  H.R. 
5005  and  S.  2452,  107th  Congress. 


43  David  Sobel,  Electronic  Privacy  Information  Center,  Testimony  Before  House 
Subcommittee  on  Oversight  and  Investigation  on  “Creating  the  Department  of  Homeland 
Security:  Consideration  of  Administration’s  Proposal.”  (July  9,  2002). 

44  On  the  House  floor,  two  amendments  to  this  section  of  the  bill  were  offered.  Amendment 
No.  24  would  have  eliminated  Subtitle  C  entirely.  Amendment  No.  25  would  have  amended 
the  definition  of  “covered  agency”  to  include  not  just  the  Department  of  Homeland  Security, 
but  any  other  agency  designated  by  the  Department  of  Homeland  Security  or  with  which  the 
Department  shares  critical  infrastructure  information.  Both  amendments  failed.  148  Cong. 
Rec.  H5845  (July  26,  2002). 
H.R.  5005,  Title  VII,  Subtitle  C. 

Section  724  of  H.R.  5005,  the  Homeland  Security  Act  of  2002,  exempts  from 
disclosure  under  FOIA  “critical  infrastructure  information  (including  the  identity  of 
the  submitting  person  or  entity)  that  is  voluntarily  submitted  to  a  covered  agency  for 
use  by  that  agency  regarding  the  security  of  critical  infrastructure  (as  defined  in  the 
USA  PATRIOT  Act)...,45  when  accompanied  by  an  express  statement....”  The  bill 
defines  critical  infrastructure  information  to  mean  “information  not  customarily  in 
the  public  domain  and  related  to  the  security  of  critical  infrastructure  or  protected 
systems — 

(A)  actual,  potential,  or  threatened  interference  with,  attack  on, 
compromise  of,  or  incapacitation  of  critical  infrastructure  or  protected 
systems  by  either  physical  or  computer-based  attack  or  other  similar 
conduct  (including  misuse  of  or  unauthorized  access  to  all  types  of 
communications  and  data  transmission  systems)  that  violates  federal,  state, 
or  local  law,  harms  interstate  commerce  of  the  United  States,  or  threatens 
public  health  and  safety; 

(B)  the  ability  of  critical  infrastructures  or  protected  systems  to  resist  such 
interference,  compromise,  or  incapacitation,  including  any  planned  or  past 
assessment,  projection  or  estimate  of  the  vulnerability  of  critical 
infrastructure  or  a  protected  system,  including  security  testing,  risk 
evaluation  thereto,  risk  management  planning,  or  risk  audit;  or, 

(C)  any  planned  or  past  operational  problem  or  solution  regarding  critical 
infrastructure  ...  including  repair,  recovery,  reconstruction,  insurance,  or 
continuity  to  the  extent  it  relates  to  such  interference,  compromise,  or 
incapacitation.” 

A  “covered  agency”  is  defined  as  the  Department  of  Homeland  Security.  The 
submission  of  critical  infrastructure  information  is  considered  voluntary  if  done  in 
the  absence  of  the  Department  of  Homeland  Security  exercising  its  legal  authority 
to  compel  access  to  or  submission  of  such  information.  Information  submitted  to  the 
Securities  and  Exchange  Commission  pursuant  to  section  12(i)  of  the  Securities  and 
Exchange  Act  of  1934  is  explicitly  not  protected  by  this  provision.  Nor  is 
information  disclosed  or  written  when  accompanying  the  solicitation  of  an  offer  or 
a  sale  of  securities,  nor  if  the  information  was  submitted  or  relied  upon  as  the  basis 
for  licensing  or  permitting  determinations,  or  during  regulatory  proceedings. 

Besides  exempting  from  FOIA  critical  infrastructure  information  which  has 
been  submitted  voluntarily  with  the  appropriate  express  statement  to  the  Department 
of  Homeland  Security,  the  bill  also  states  that  the  information  shall  not  be  subject  to 
any  agency  rules  or  judicial  doctrine  regarding  ex  parte  communications  with 
decision  making  officials.  The  bill  also  prohibits  such  information,  without  the 


45  “Systems  or  assets,  whether  physical  or  virtual,  so  vital  to  the  United  States  that  the 
incapacity  or  destruction  of  such  systems  and  assets  would  have  a  debilitating  impact  on 
security,  national  economic  security,  national  public  health  or  safety,  or  any  combination  of 
those  matters.”  P.L.  107-56,  section  1016. 
written  consent  of  the  person  or  entity  submitting  such  information  in  good  faith, 
from  being  used  directly  by  the  Department  of  Homeland  Security,  any  other  federal, 
state,  or  local  authority  or  any  third  party,  in  any  civil  action.  Nor  may  the 
information,  without  written  consent  of  the  person  or  entity  submitting  such 
information,  be  used  or  disclosed  by  any  officer  or  employee  of  the  United  States 
for  any  purpose  other  than  the  purposes  of  the  subtitle,  except,  in  the  furtherance  of 
a  criminal  investigation  or  prosecution,  or  when  disclosed  to  either  House  of 
Congress,  or  to  the  Comptroller  General  or  other  authorized  General  Accounting 
Office  official,  in  the  conduct  of  official  business.  Furthermore,  any  federal  official 
or  employee  who  knowingly  publishes,  divulges,  discloses,  or  makes  known  in  any 
manner  or  to  any  extent  not  authorized  by  law,  any  protected  information,  is  subject 
to  removal,  imprisonment  up  to  one  year,  and  fines.  If  the  information  is  disclosed 
to  state  or  local  officials,  it  may  not  be  used  for  any  purpose  other  than  the  protection 
of  critical  infrastructures,  and  it  may  not  be  disclosed  under  state  disclosure  laws. 
The  protections  afforded  protected  information  under  this  statute  do  not  result  in 
waiver  of  any  privileges  or  protections  provided  elsewhere  in  law.  Finally,  no 
communication  of  critical  infrastructure  information  to  the  Department  of  Homeland 
Security  shall  be  considered  to  be  an  action  subject  to  the  requirements  of  the  Federal 
Advisory  Committee  Act.46 

For  information  to  be  considered  protected,  it  must  be  accompanied  with  a 
written  marking  to  the  effect  that  “this  information  is  voluntarily  submitted  to  the 
federal  government  in  expectation  of  protection  from  disclosure  as  provided  by  the 
Critical  Infrastructure  Information  Act  of 2002  [the  name  given  to  Subtitle  C].”  The 
Secretary  is  to  establish  procedures  for  handling  the  information  once  it  is  received. 
Only  those  agency  components  or  bureaus,  designated  by  the  President  or  the 
Secretary  of  Homeland  Security,  as  having  a  Critical  Infrastructure  Program  may 
receive  critical  infrastructure  information  from  the  Department. 

The  above  protections  for  information  voluntarily  submitted  by  a  person  or 
entity  to  the  Department  of  Homeland  Security  do  not  limit  or  otherwise  affect  the 
ability  of  a  state,  local,  or  federal  government  entity,  agency  or  authority,  or  any  third 
party,  under  applicable  law,  to  obtain  critical  infrastructure  information  (including 
any  information  lawfully  and  properly  disclosed  generally  and  broadly  to  the  public) 
and  to  use  that  information  in  any  manner  permitted  by  law.  Submittal  to  the 
government  of  information  or  records  that  are  protected  from  disclosure  is  not  to  be 
construed  as  compliance  with  any  requirement  to  submit  such  information  to  a 
federal  agency  under  any  other  provision  of  law.  Finally,  the  bill  does  not  expressly 
create  a  private  right  of  action  for  enforcement  of  any  provision  of  the  Act. 


46  The  Federal  Advisory  Committee  Act  (FACA)  requires  that  the  meetings  of  all  federal 
advisory  committees  serving  executive  branch  entities  be  open  to  the  public.  The  FACA 
specifies  nine  categories  of  information,  similar  to  those  in  FOIA,  that  may  be  permissively 
relied  upon  to  close  advisory  committee  deliberations.  5  U.S.C.  App.  2. 
S.  2452,  Section  198. 

S.  2452,  National  Homeland  Security  and  Combating  Terrorism  Act  of  2002, 
as  agreed  to  by  the  Senate  Governmental  Affairs  Committee  on  July  25,  2002, 
exempts  a  “record”  pertaining  to  the  vulnerability  of  and  threats  to  critical 
infrastructure  (as  defined  in  the  USA  PATRIOT  Act)  furnished  voluntarily  to  the 
Department  of  Homeland  Security  from  being  made  available  under  FOIA.  A  record 
is  covered  by  the  bill  if  the  provider  would  not  customarily  make  the  record  available 
to  the  public.  It  also  requires  the  provider  to  designate  and  certify,  in  a  manner 
specified  by  the  Department  of  Homeland  Security,  that  the  record  is  confidential 
and  not  customarily  made  available  to  the  public. 

Unlike  the  House  bill,  the  Senate  bill  does  not  include  a  definition  of  “critical 
infrastructure  information.”  However,  the  bill  covers  “records  pertaining  to  the 
vulnerability  of  and  threats  to  critical  infrastructure  (such  as  attacks,  response,  and 
recovery  efforts).” 

A  record  is  submitted  voluntarily  if  it  was  submitted  to  the  Department  of 
Homeland  Security  “in  the  absence  of  authority  of  the  Department  requiring  that 
record  to  be  submitted,”  and  it  is  not  submitted  or  used  to  satisfy  any  legal 
requirement  or  obligation  or  to  obtain  any  grant,  permit,  benefit,47  or  other  approval 
from  the  federal  government. 

Agencies  with  which  the  Department  of  Homeland  Security  shares  protected 
records  are  bound  by  the  FOIA  exemption.  FOIA  requests  for  protected  information 
must  be  referred  back  to  the  Department  of  Homeland  Security,  and  the  Department 
may  provide  any  portion  of  the  record  that  is  reasonably  segregable  from  that  part 
of  the  record  which  is  exempt  from  disclosure,  after  deleting  the  protected 
information.  The  bill  also  allows  the  provider  of  a  record  that  is  furnished 
voluntarily  to  the  Department  of  Homeland  Security  to  withdraw  the  confidential 
designation  at  any  time  in  a  manner  specified  by  the  Department. 

S.  2452  allows  an  agency  which  has  received  independently  of  the  Department 
a  record  “similar  or  identical”  to  that  received  by  the  Department,  to  disclose  the 
record  under  FOIA.  The  Senate  bill  does  not  preempt  state  or  local  disclosure  laws 
if  the  state  or  local  authority  received  the  information  independent  of  the  Department 
of  Homeland  Security,  nor  does  it  contain  any  civil  liability  immunity,  or  criminal 
penalties. 

The  Secretary  of  the  Department  of  Homeland  Security  is  directed  to  prescribe 
procedures  for:  acknowledging  the  receipt  of  records  furnished  voluntarily;  the 
certification  of  records  furnished  voluntarily  as  confidential  and  not  customarily 
made  available  to  the  public;  the  care  and  storage  of  records  furnished  voluntarily; 
and  the  protection  and  maintenance  of  the  confidentiality  of  records  furnished 
voluntarily. 


47  Benefits  include  agency  forbearance,  loans,  or  reductions  or  modifications  of  agency 
penalties  or  rulings.  Benefits  do  not  include  warnings,  alerts,  or  other  risk  analysis  offered 
by  the  Department. 
Finally,  the  Senate  bill  requires  the  Comptroller  General  to  report  to  Congress 
on  the  implementation  and  use  of  the  above  protections.  The  report  shall  include  the 
number  of  persons  in  the  private  sector  and  the  number  of  state  and  local  agencies 
that  furnished  records  voluntarily  under  these  provisions,  the  number  of  requests  for 
access  granted  or  denied  under  these  provisions,  and  any  recommendations  regarding 
improvements  in  the  collection  and  analysis  of  sensitive  information  related  to  the 
vulnerabilities  of  and  threats  to  critical  infrastructures. 

In  sum,  significant  differences  exist  between  H.R.  5005  and  S.  2452.  These 
differences  include  the  scope  of  the  information  protection;  the  type  of  information 
covered  and  exempted  from  FOIA;  the  definition  of  a  voluntary  submission;  the 
other  purposes  authorized  for  use  or  disclosure  of  the  information;  the  disclosure  of 
information  with  the  consent  of  the  submitter;  the  permissibility  of  disclosures  of 
related  information  by  other  agencies;  immunity  from  civil  liability;  preemption;  and 
criminal  penalties. 

Issues  and  Concerns 

The  general  concerns  of  the  owners  and  operators  of  critical  infrastructure  are 
that  the  type  and  breadth  of  information  they  are  being  asked  to  submit  on 
vulnerabilities,  incidents,  remedies,  etc.,  if  made  available  to  competitors  or  to  the 
general  public,  could  harm  their  public  relations,  compromise  their  competitive 
position,  expose  them  to  liability,  or  disclose  sensitive  information  to  terrorists  and 
others  who  might  wish  to  disrupt  the  function  of  their  infrastructure.  It  is  their 
position  that  crafting  a  specific  exemption  to  FOIA  in  statute  (i.e.,  a  (b)(3) 
exemption)  would  provide  the  greatest  legal  protections  for  the  information  they 
share.  They  believe  that  a  narrowly  tailored  (b)(3)  exemption  would  eliminate 
agency  discretion  to  disclose  protected  information  in  response  to  a  FOIA  request. 
In  addition,  given  the  federal  government’s  need  to  share  sensitive  business 
information  for  homeland  security  purposes  with  state  and  local  officials,  owners  and 
operators  also  seek  federal  preemption  of  state  and  local  disclosure  laws.  Owners 
and  operators  are  concerned  that  some  of  this  information  could  make  them  subject 
to  liability  in  unforeseen  ways. 

A  number  of  public  interest  groups  have  expressed  their  opposition  to  the 
protections  being  proposed,  particularly  those  contained  in  the  House  version.48  The 
primary  concern  is  that  the  type  of  information  exempted  from  FOIA  is  too  broadly 
defined,  and  could  allow  any  company  claiming  to  be  an  owner  or  operator  of  a 
critical  infrastructure  to  voluntarily  submit  almost  any  kind  of  information  in  order 
to  protect  the  information  from  disclosure  under  the  FOIA.  Critics  also  believe  the 
definition  adopted  from  the  USA  PATRIOT  Act  of  critical  infrastructure  is  too  vague 
in  both  bills. 


48  Some  of  the  groups  that  have  expressed  concern  include  the  American  Civil  Liberties 
Union,  the  Electronic  Privacy  Information  Center,  Natural  Resources  Defense  Fund,  the 
Society  of  Professional  Journalists,  and  the  U.S.  Public  Interest  Research  Group.  For  a 
sample  of  the  groups  that  have  joined  in  opposition  and  their  rationales,  see 
[http://www.ombwatch.Org/article/articleview/943/l/18/cleanwateraction.org]. 
The  House  bill  also  covers  information  regarding  an  attack,  or  similar  conduct, 
that  violates  law  or  harms  interstate  commerce.  According  to  one  critique,  the 
language  “or  similar  conduct”  and  “harms  interstate  commerce”  is  broad  and  could 
include  non-criminal  or  inadvertent  incidents  that  cause  temporary  interruption  of 
normal  business  operations.49  The  criticism  goes  on  to  state  that  the  purposes  for 
which  the  information  may  be  used  (and  therefore  contributing  to  the  definition  of 
what  kind  of  information  may  be  protected)  include  analysis,  warning, 
interdependency  study,  recovery,  reconstitution,  or  “other  informational  purposes.” 
According  to  the  critique,  “other  informational  purposes”  covers  untold  amounts  of 
information,  some  of  which  may  have  been  previously  available  to  the  public. 

These  groups  also  are  concerned  that  information  currently  collected  by  various 
agencies  and  available  to  the  public  could  now  be  protected  from  disclosure  if 
submitted  to  the  Department  of  Homeland  Security  initially  as  critical  infrastructure 
information.  This  is  particularly  an  issue  in  the  area  of  environmental  law  relating 
to  a  community’s  right  to  know.50  Both  bills  state  that  the  protections  are  granted 
“notwithstanding  any  other  provisions  of  law.”  Under  current  law  (the  Emergency 
Planning  and  Community  Right-to-Know  Act,  P.L.  99-499,  42  USC  11001-11050), 
facilities  handling  certain  toxic  substances  in  excess  of  a  threshold  amount  annually 
must  report  to  the  Environmental  Protection  Agency  and  local  officials  the  maximum 
and  average  daily  amounts  of  such  substances  that  they  had  on  hand  during  the 
previous  year;  the  location  of  such  chemicals  within  the  facility;  and  estimates  of 
how  much  was  released  into  the  environment  as  part  of  normal  handling  and 
processing.  In  addition,  in  the  event  of  an  accidental  release  above  a  threshold 
amount,  facilities  immediately  must  report  the  amount  released  to  local  officials. 

The  1990  amendments  to  the  Clean  Air  Act  (which  were  passed  in  P.L.  101-549, 
Section  301,  amending  42  USC  7412)  made  it  the  duty  of  owners  and  operators 
of  facilities  producing,  processing,  handling,  or  storing  certain  extremely  hazardous 
substances:  to  identify  hazards  that  may  result  from  releases;  to  design  and  maintain 
a  safe  facility;  and  to  minimize  the  consequences  of  accidental  releases  which  do 
occur.  To  prevent  accidental  releases,  the  Act  requires  facilities  handling  such 
substances  to  develop  “risk  management  plans.”  Among  the  items  included  in  these 
plans  are  an  accounting  of  any  accidental  releases  of  those  substances  over  the 
previous  five  years;  estimates  of  the  quantities  of  chemicals  that  might  be  released 
in  the  event  of  an  accident,  including  a  worst-case  accident;  estimates  of  the  potential 
exposures  to  affected  downwind  populations;  a  program  for  preventing  releases;  and 
an  emergency  response  program  to  protect  public  health  and  the  environment  in  the 
event  of  a  release.  Under  the  1990  law,  public  disclosure  of  most  of  this  information 
(which  also  could  be  released  in  response  to  FOIA  requests)  is  required,  but  the 
details  of  the  off-site  consequence  analyses  (OCA)  for  hypothetical  accidents  are  not 
required  to  be  disclosed.  In  addition,  companies  may  claim  confidentiality  for  some 
submitted  information,  provided  they  can  support  that  claim. 


49  Problems  with  S.  1456,  Critical  Infrastructure  Information  Act.  National  Resources 
Defense  Council.  Although  directed  at  the  rewritten  version  of  S.  1456  that  was  never 
introduced,  the  language  at  issue  is  the  same  as  that  proposed  in  H.R.  5005.  The  critique  can 
be  found  at  [http://www.ombwatch.org/info/cii/nrdcproblems.html]. 

50  See  CRS  Report  RL31530,  Chemical  Plant  Security. 
Security  concerns  arose  about  the  potential  utility  to  terrorists  of  risk 
management  planning  data,  just  as  EPA  was  planning  to  make  the  plans  widely 
available  to  the  public  via  the  Internet.51  Convinced  of  the  need  for  caution,  EPA 
agreed  not  to  post  OCA  data  on  its  website.  Nevertheless,  the  information  could  be 
obtained  electronically  using  FOIA,  and  several  public  interest  groups  announced 
that  they  would  do  so  and  post  the  data.  In  1999,  Congress  responded  by  again 
amending  the  Clean  Air  Act.  The  amended  Act  exempts  OCA  data  from  disclosure 
under  FOIA,  and  directs  EPA  to  limit  public  disclosure  as  necessary  to  reduce  risks. 
EPA  issued  a  final  regulation  on  data  access  on  August  4,  2000. 52  It  allows  the 
public  to  see  paper  copies  of  sensitive  OCA  information  through  federal  reading 
rooms,  approximately  one  per  state,  and  provides  Internet  access  to  the  OCA  data 
elements  that  pose  the  least  serious  criminal  risk.  State  and  local  agencies  are 
encouraged  to  provide  the  public  with  read-only  access  to  OCA  information  on  local 
facilities.  At  the  federal  reading  rooms,  members  of  the  public  may  read  OCA 
information  for  up  to  10  facilities  per  calendar  month  and  for  all  facilities  with 
potential  effects  in  the  jurisdiction  of  the  local  emergency  planning  committee. 
State  and  local  officials  and  other  members  of  the  public  may  share  OCA 
information  as  long  as  the  data  are  not  conveyed  in  the  format  of  sensitive  portions 
of  the  RMP  or  any  electronic  database  developed  by  EPA  from  those  sections.53  A 
Clinton  Administration  proposal  to  implement  the  final  rule  (66  Federal  Register 
4021,  Jan.  17,  2001)  would  have  allowed  people  to  view  plans  of  facilities  outside 
their  local  area  and  enhanced  access  for  “qualified  researchers.”  The  draft  plan  was 
rescinded  by  the  Bush  Administration  (66  Federal  Register  15254,  Mar.  16,  2001). 
No  further  regulatory  action  has  been  taken  to  date. 

Critics  of  the  FOIA  exemption  for  critical  infrastructure  information  submitted 
voluntarily  with  the  appropriate  express  statement  are  concerned  that  the 
“notwithstanding  any  other  provision  of  law”  clause  could  possibly  exempt  from 
FOIA  information  about  facilities  handling  potentially  dangerous  chemicals  that  is 
currently  available  under  the  Emergency  Planning  and  Community  Right-to-Know 
Act  and  the  Clean  Air  Act. 

Some  public  interest  groups  are  concerned  that  the  breadth  of  information  that 
could  be  exempted  from  disclosure,  combined  with  the  prohibition  on  use  of  critical 
infrastructure  information  in  any  civil  suit,  could  give  owners  or  operators  of  critical 
infrastructures  an  “unprecedented  immunity”  from  complying  with  a  variety  of  laws 
(i.e.,  antitrust,  tort,  tax,  civil  rights,  environmental,  labor,  consumer  protection,  and 
health  and  safety  laws).  Another  concern  centers  on  a  perceived  lack  of  clarity  on 
whether  information  obtained  independently  by  subpoena,  for  example,  could  be 
used  to  bring  civil  suit  (e.g.,  would  a  victim  of  chemical  exposure  be  precluded  from 


51  During  the  mid  to  late  1990s,  federal  agencies  were  facilitating  electronic  public  access 
to  governmental  information  in  response  to  congressional  directives,  such  as  the  Electronic 
Freedom  of  Information  Act,  P.L.  104-231,  and  presidential  initiatives,  such  as  “President 
Clinton’s  Environmental  Monitoring  for  Public  Access  and  Community  Tracking”  program. 

52  65  Federal  Register  48107-48133. 

53  EPA  Fact  Sheet.  “Chemical  Safety  Information,  Site  Security  and  Fuels  Regulatory  Relief 
Act:  Public  Distribution  of  Off-Site  Consequence  Analysis  Information.”  EPA  550-F00-012, 
Aug.  2000. 
suing  if  information  previously  submitted  to  the  Department  of  Homeland  Security 
was  obtained  independently  from  the  company  by  subpoena). 

Another  argument  made  by  the  public  interest  groups  is  that  existing  FOIA 
exemptions  and  case  law  offer  sufficient  protections  to  owner/operators.  They  cite 
exemption  (b)(4),  which  allows  agencies  to  withhold  commercial  information  that 
is  privileged  or  confidential,  if  by  disclosing  that  information,  the  competitive 
position  of  the  provider  is  harmed  or  the  ability  of  the  government  to  continue 
receiving  that  information  is  impaired.  An  exemption  from  FOIA  for  critical 
infrastructure  information,  they  argue,  would  promote  government  secrecy  and  harm 
public  access. 

These  groups  are  also  concerned  about  a  provision  they  say  gives  the  private 
sector  the  power  to  determine  what  information  is  to  be  protected,  simply  by 
including  an  express  statement  of  protection  from  disclosure  on  the  submission  to  the 
federal  government.  The  criminal  penalties  provided  for  the  unauthorized  disclosure 
of  protected  information  are  viewed  by  some  groups  as  essentially  an  anti-whistleblower 
provision  designed  to  stifle  government  accountability.  Another  issue 
raised  by  the  groups  is  whether  a  submission  of  information  to  the  government  will 
be  treated  as  voluntary  in  situations  where  an  agency  has  not  exercised  its  authority 
to  compel  submission.  Finally,  the  groups  take  issue  with  the  provision  that 
preempts  state  and  local  freedom  of  information  laws. 

The  public  interest  groups  concerned  with  granting  specific  FOIA  exemptions 
have  expressed  a  guarded  acceptance  of  the  Senate  version.  They  feel  it  basically 
puts  into  statute  recent  FOIA  case  law  regarding  the  protections  afforded  confidential 
information  submitted  to  government  agencies  under  FOIA  exemption  4. 54 

Representatives  from  industry  have  responded  to  some  of  these  concerns  by 
stating  that  it  is  not  their  intent  to  evade  current  laws  and  regulations,  but  that  the 
extra  protections  are  needed  before  they  are  willing  to  voluntarily  submit  information 
that  might  be  used  against  them  later,  either  legally  or  competitively.  Under  the 
current  law,  companies  have  no  assurance  that  information  they  share  with  a 
government  agency  will  be  treated  confidentially,  and  agencies  are  not  required  to 
commit  to  confidentiality  at  the  time  of  disclosure.  Agencies  are  not  required  to 
initiate  the  FOIA  exemption  process  until  a  FOIA  request  is  received.  When  it  is 
received,  the  agency  is  asked  to  defend  the  information’s  confidentiality,  and  is  not 
required  to  inform  the  originator  if  it  believes  it  has  enough  information  to  proceed. 
Industry  is  generally  in  favor  of  legislation  that  will  accomplish  the  goal  of 
encouraging  it  to  submit  security-related  information  without  fear  of  public 
disclosure.  Representatives  from  owners  and  operators  have  also  stated  that  they 
favor  a  narrow  exemption  so  as  to  cover  only  infrastructure  threat  and  vulnerability 
information.55 


54  Industry  Offers  Support  for  Scaled-Back  Senate  FOIA  Revisions,  Inside  EPA  (July  26, 
2002). 

55  Kenneth  C.  Watson,  President  Partnership  for  Critical  Infrastructure  Security,  Testimony 
Before  House  Subcommittee  on  Oversight  and  Investigation  on  “Creating  the  Department 
of  Homeland  Security:  Consideration  of  Administration’s  Proposal.”  (July  9,  2002). 
Conclusion 

The  Senate  bill,  S.  2452,  is  scheduled  for  debate  the  week  of  September  2nd, 
2002.  If  the  Senate  passes  its  Homeland  Security  bill,  it  must  be  conferenced  with 
the  House  bill,  H.R.  5005.  During  conference,  negotiators  must  reconcile  two 
different  approaches  to  the  protection  and  disclosure  of  critical  infrastructure 
information.  Compelling  arguments  exist  on  both  sides  of  the  debate  for  and  against 
exempting  critical  infrastructure  information  from  the  Freedom  of  Information  Act. 




